From afdb39e5f6f38c179ce5ddc6ee54238ac5ba7852 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 11 Nov 2010 08:59:37 +0100 Subject: [PATCH] Print an error if the protocol field of a signature contains a unknown/invalid value. --- src/detect-parse.c | 34 +++++++++++++++++++++++++++------- src/util-error.h | 2 +- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/src/detect-parse.c b/src/detect-parse.c index c718879daa..c3402063ad 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -717,6 +717,8 @@ error: * \retval -1 On failure */ int SigParseProto(Signature *s, const char *protostr) { + SCEnter(); + int r = DetectProtoParse(&s->proto, (char *)protostr); if (r < 0) { s->alproto = AppLayerGetProtoByName(protostr); @@ -736,13 +738,15 @@ int SigParseProto(Signature *s, const char *protostr) { } als = als->next; } - return 0; + SCReturnInt(0); } - return -1; + SCLogError(SC_ERR_UNKNOWN_PROTOCOL, "protocol \"%s\" cannot be used " + "in a signature", protostr); + SCReturnInt(-1); } - return 0; + SCReturnInt(0); } /** @@ -852,7 +856,11 @@ int SigParseAction(Signature *s, const char *action) { } } -int SigParseBasics(Signature *s, char *sigstr, char ***result, uint8_t addrs_direction) { +/** + * \internal + * \brief split a signature string into a few blocks for further parsing + */ +static int SigParseBasics(Signature *s, char *sigstr, char ***result, uint8_t addrs_direction) { #define MAX_SUBSTRINGS 30 int ov[MAX_SUBSTRINGS]; int ret = 0, i = 0; @@ -863,7 +871,7 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result, uint8_t addrs_dir ret = pcre_exec(config_pcre, config_pcre_extra, sigstr, strlen(sigstr), 0, 0, ov, MAX_SUBSTRINGS); if (ret != 8 && ret != 9) { - printf("SigParseBasics: pcre_exec failed: ret %" PRId32 ", sigstr \"%s\"\n", ret, sigstr); + SCLogDebug("pcre_exec failed: ret %" PRId32 ", sigstr \"%s\"", ret, sigstr); goto error; } 
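Review bot: The new comment on SigParseBasics carries only `\internal` and `\brief`, so the `result` out-parameter and the return value are undocumented, unlike the `\retval -1 On failure` line on SigParseProto just above. I would add `\retval -1 on parse error` (the `error:` label visible later in the patch returns -1) and a `\param` line for each argument, written by someone who can see the whole body. Separately, the definition becomes `static` while the diffstat lists only detect-parse.c and util-error.h. If a header or a unit test elsewhere still declares or calls SigParseBasics, which is not visible here, the build will fail on the linkage mismatch. The function body continues outside this hunk.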
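Review bot: Replacing the `printf` with `SCLogDebug` in the `ret != 8 && ret != 9` branch means a signature that fails the basic regex produces no message from SigParseBasics unless debug logging is active, assuming SCLogDebug is compiled out or filtered in normal builds. Whether the caller reports the failure after `goto error` is not visible in this hunk. If it does not, a rule can be dropped at load time without the operator noticing, which leaves a detection gap. Consider `SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre_exec failed: ret %" PRId32 ", sigstr \"%s\"", ret, sigstr);` so the rejection is logged at the same level as the new SigParseProto error. The function starts and ends outside this hunk.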
@@ -903,7 +911,8 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result, uint8_t addrs_dir /* For "ip" we parse the ports as well, even though they will be just "any". * We do this for later sgh building for the tcp and udp protocols. */ if (DetectProtoContainsProto(&s->proto, IPPROTO_TCP) || - DetectProtoContainsProto(&s->proto, IPPROTO_UDP)) { + DetectProtoContainsProto(&s->proto, IPPROTO_UDP)) + { if (SigParsePort(s, arr[CONFIG_SP], SIG_DIREC_SRC ^ addrs_direction) < 0) goto error; if (SigParsePort(s, arr[CONFIG_DP], SIG_DIREC_DST ^ addrs_direction) < 0) @@ -927,6 +936,17 @@ error: return -1; } +/** + * \brief parse a signature + * + * \param de_ctx detection engine ctx to add it to + * \param s memory structure to store the signature in + * \param sigstr the raw signature as a null terminated string + * \param addrs_direction direction (for bi-directional sigs) + * + * \param -1 parse error + * \param 0 ok + */ int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr, uint8_t addrs_direction) { SCEnter(); @@ -1216,7 +1236,7 @@ static int SigValidate(Signature *s) { continue; if (fd->flags & FLOW_PKT_TOCLIENT) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent with flow:to_client or flow:from_server"); + SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use uricontent / http_uri with flow:to_client or flow:from_server"); SCReturnInt(0); } } diff --git a/src/util-error.h b/src/util-error.h index f35fab7337..fbf1a57f16 100644 --- a/src/util-error.h +++ b/src/util-error.h @@ -149,7 +149,7 @@ typedef enum { SC_ERR_MUTEX, SC_ERR_REPUTATION_INVALID_OPERATION, SC_ERR_REPUTATION_INVALID_TYPE, - SC_ERR_UNKNOWN_PROTOCOL, + SC_ERR_UNKNOWN_PROTOCOL, /**< signature contains invalid protocol */ SC_ERR_UNKNOWN_RUN_MODE, SC_ERR_MULTIPLE_RUN_MODE, SC_ERR_BPF,
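Review bot: In the new SigParse comment the two return values are tagged `\param -1 parse error` and `\param 0 ok`, so Doxygen will render them as parameters named `-1` and `0` rather than as return values. They should read `\retval -1 parse error` and `\retval 0 ok`, matching the `\retval -1 On failure` form used on SigParseProto earlier in the file. SigParse's body continues outside the hunk, so the documented values cannot be checked against the actual return paths from here.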